On 15/1/25 03:16, louise9...@gmail.com wrote:
> I have built a router and it seems as if no matter what I try I can
> never seem to understand how to get NAT Type Open on the Xbox Series
> S/X devices. I have one example on my pf.conf where I have tried to
> use port forwarding according to the OpenBSD documentation but it
> still comes out with NAT Type Strict. I have also tried disabling port
> randomization with multiple match rules to no avail. I’ve also tried
> playing around with the quick keywords, rule order, using parentheses
> around the word egress, changing egress to the actual wan interface
> name, and using keywords like static-port at the end of the match
> rules, as well as adding port 1024:65535 to either/both egress after
> (to) or the device address after (NAT-to) which also didn’t work. I was
> able to verify that UPnP does indeed work properly both on the device
> and the router. Can someone tell me what I am doing wrong/point me to
> the docs that would help with this?

Hi Lewis,

It all looks fine, though for fault finding, I'd knock it down to the
basics as something else in the big rule list may be clobbering your xbox
rules. A couple of points to try:

- You have 2 match outs that are very close, meaning your static-port may
not be a perfect match, thus the match further up may take precedence.
- Your 'pass in rdr-to' may be missing some undocumented port. Exclude
port mapping for your testing and allow any port to bind. Maybe look at
binat-to for simplicity.
- Turn on logging for your initial 'block all' to see what comes out of
pflog0. There may be traffic not being matched.
- I've seen times where 'match out egress' hasn't matched a rule and I
needed to use an 'in tag' on your xbox origin traffic and 'out tagged' to
ensure I hit the appropriate egress rule.
- Remove match scrub to see if that helps.
- You may have a need for 'block drop' but there are plenty of ways
for people to know you are there. 'block return' is usually sufficient for
99% of use cases.

I don't have an xbox so I have nothing to test against. Try the above
and see how you get on and report back. I've had to deal with some
pretty garbage traffic over the years and have had no problem molding PF
to deal with it; it is usually a rule somewhere that clobbers the one I
was expecting to be used.

Cheers, Jason.
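
The stripped-down test ruleset suggested in the reply above (logged default block, 'in tag' / 'out tagged', one static-port match that nothing else can shadow), as an added example that is not from the thread or from the poster's pf.conf. The interface name, console address and tag name are assumptions, and inbound rdr-to/binat-to rules are left out so that only the outbound NAT path is under test.

```conf
# Constructed test ruleset. lan_if, xbox and the XBOX tag are assumptions.
lan_if = "em1"            # assumed LAN interface name
xbox   = "192.168.1.50"   # assumed console address (constructed)

set skip on lo

# Default policy. 'log' copies every rejected packet to pflog0, so traffic
# that no later rule matches becomes visible instead of vanishing silently.
block return log all

# Mark console traffic where it enters the router. Tags are sticky and stay
# on the packet until it leaves on the egress interface.
match in on $lan_if inet from $xbox tag XBOX
pass  in on $lan_if inet

# Console traffic: NAT without source-port rewriting. Matching on the tag
# rather than on an address keeps this rule distinct from the generic one.
match out on egress inet tagged XBOX nat-to (egress:0) static-port

# Everything else: ordinary NAT with port randomisation. '! tagged XBOX'
# means the two match rules can never both apply to the same packet.
match out on egress inet from !(egress:network) ! tagged XBOX nat-to (egress:0)

pass out on egress inet

# Checks to run while the console performs its NAT test:
#   pfctl -nf /etc/pf.conf             parse the file without loading it
#   tcpdump -n -e -ttt -i pflog0       show packets hit by the logged block rule
#   pfctl -s state | grep 192.168.1.50 confirm the source port is unchanged
```

If the state table shows the console's source port preserved and pflog0 stays quiet during the test, the outbound side is behaving and the remaining suspects are the inbound rules.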